The introduction is vague, but basically notes that those who approach information in a strictly technical or business sense risk failure by ignoring the social context in which information resides. Information does not exist of itself, but is produced and consumed by people, and thus is a construct and artifact of our social environment.

Chapter one talks about information overload. Bots are discussed in chapter two: not the botnets (simple programs distributed over multiple computers) that everyone agrees should be eliminated, but the range of software agents that we use without thinking. The authors note that the interactions between these bots are inherently impossible to control, and the material prophecies the recent problems in content blocking such as affected the Hugo awards and Michelle Obama. Chapter three examines various social issues of home (or non-office) -based work. The difference between our processes, and the way people actually work, are addressed in chapter four. A number of interesting ideas are raised, but it is (ironically) difficult to see how to put these into practice (rather than discussion of what we should do). Chapter five turns to learning and knowledge management. The authors assert that learning is primarily social, and note negative effects on business if this aspect is ignored, but actually say very little about learning or information. Chapter six explores innovation in respect to the Internet and a global economy, noting that information is difficult to control in that it is both “sticky” (resistant to change) and “leaky” (incidental disclosures of “confidential” information abound). The “background” of information is noted in chapter seven, with the authors examining the resilience of paper in the face of a determined effort to create the “paperless” office. They note studies showing that “printing” out email seemed to automatically give the data greater weight. (I wonder if this might have changed in today’s marketplace: sadly, a rather large proportion of people now seem to hold that *anything* found on the Internet, regardless of how silly, must be true.) Chapter eight, entitled “Re-education,” discusses the changing nature of universities.

There is an afterword, “Beyond Information,” touching on miscellaneous points, particularly to do with copyright.

Despite a certain lack of structure or purpose to some of the sections, the writing is both clear and entertaining. It also has that ineffable quality of readability, meaning that the reading is enjoyable even when the authors are not delivering specifically interesting information, or making a vital point in an argument. It’s a joy simply to consume the text.

In our world today, we have an abundance of many things, among which are -unexpected events. Falling meteorites, terrorist attacks, hacktivist demonstrations, blackouts, tsunamis…. well, you get the point.Now, although the majority of events I just mentioned probably fall into a Disaster Recovery category, they are nonetheless events that greatly impact our personal lives and disrupt the normal ebb and flow of the daily routine.On the professional side of life, there are also incidents that,although classified on a lower scale than a disaster, still create much disruption and depending on how they are handled, can have a long-lasting impact to the flow of business. The purpose of this article is to discuss some suggested methods of how to go about building an incident response team and related procedures that will enable this group to respond to these events expeditiously.

TERMINOLOGY DEFINED

Before we start to discuss the mechanics behind building this elite group of technical emergency responders, let’s understand what we’re up against. First of all, let’s get our terminology straight. What exactly am I referring to when I use the term – “event” and “incident“? To give this article some context, consider the following definitions courtesy of Merriam Webster…

An incident is defined as “an occurrence […] that is a separate unit of experience”.

An event can be defined as “something that happens: an occurrence” or “a noteworthy happening”.

Let’s break this down;if we use the example of a small electrical fire in the basement of a building, this can be categorized as an individual “incident” or as a “separate unit of experience”. Now, if this incident is not handled properly, it can escalate and possibly grow to become a fire so large that it consumes the entire building. The incineration of the building can be categorized as an “event“, which is sort of an umbrella term that groups causes and effects for the entire disaster or “noteworthy happening” into one category.

Applying this understanding to the enterprise, items such as a data breaches, hacking attempts, critical server crashes, website defacement or social engineering attempts can be classified as individual “incidents”. This is because they may affect business or the corporate reputation but may not completely halt the business flow of the company. If not addressed properly, these incidents,although small,could escalate and succeed in completely halting the business,resulting in a disaster or large scale “event“. Hopefully, this explanation clarifies the difference between events and incidents as this understanding will determine how each occurrence is handled. This now brings us to our next section…

PLANNING AN INCIDENT RESPONSE PROCESS

This step can seem daunting if you’ve never been involved with Incident Response or you’re trying to decide where a process like this might fit in to your particular environment. How can we go about organizing all the related business groups, technical areas and how can we find out if we’re missing anything?The good news is that in the majority of cases, there is already some type of set process that is followed whenever incidents occur. Some problems that come up, however, could be that the process may not be documented and since it’s an informal process, there is a great chance that core response components are missing or have been overlooked. The benefit to identifying any existing process that your organization may have is that it is much easier to train employees using a foundation with which they are already accustomed to. It may also be much easier to gain upper management’s support and buy-in for a process that is actively being followed albeit – informally.This support is necessary because management’s support will be needed for any funding that is required and for the allocation of time for the individuals that will be forming part of the official team. Without this support, it’s possible that your project will never get off its feet or after all the hard work,the process could be scrapped or drastically changed and then it’s back to the proverbial drawing board. This can beextremely frustrating so be sure to do your homework, identify any area that may already be built and if appropriate, incorporate this into your draft IR process.This way you’ll have a deep understanding of how the process should flow when having discussions with upper management and be able to defend any modifications, enhancements or complete overhauls.

Keep in mind that when speaking with management, your initial draft is just that – a draft. Be prepared to have a detailed conversation so you can understand what their expectations are and that you properly define what your incident process is providing. It’s possible that in these initial conversations you will identify areas that need to be modified or added.If this step is not accomplished correctly,it’s possible that the functions of your future IR team will not be understood or properly recognized.This could result in your process not being properly advertised to the enterprise, in which case it simply becomes just another “informal process”. Be sure to gain managements approval, communicate and advertise your new structure so that when an incident does occur, your new framework will be used.This will eliminate any overlap and ensure that the authority of the members of your future IR team remains fully recognized.

Some other questions that you may ponder along the way:

How far will IR processes be able to reach?

Who will make up the IR Team’s client base?

The first question relating to the reach of the IR process speaks to cases where critical services and applications are provided by external third parties. In these cases, you will have to decide on how far the IR process will flow and if a “hand-off” needs to occur. This needs to be explored at length since this will make your resolution process dependent on the efforts of an outside entity.

Questions like these are highly important because in the case of many enterprise environments, there are multiple areas that are critical to business operations. This brings us to the second question regarding the IR client base. This refers to subsidiaries or operating companies that, although separate, may fall under the auspices of the parent organization. You need to understand the relationship to these companies and if they provide critical applications, services and other related business functions. More than likely, these entities will also have to fall under the scope of your IR process and it will be necessary to identify key stakeholders at those locations to support your IR. This begs the question… who should form part of the Incident Response team?

INCIDENT RESPONSE ROLES AND RESPONSIBILITIES

Depending on what you read, you may find different titles and roles for Incident Response. The following listing is an outline of some roles and responsibilities that I used when building an IR plan at a past employer. Each environment is unique, so you will need to research your own requirements and then tailor a plan that meets your needs. Generally, the types of roles that should exist within an IR function are:

Incident Response Officer – This individual is the Incident Response champion that has ultimate accountability for the actions of the IR team and IR function. This person should be an executive level employee such as a CISO or other such corporate representatives. It would be very beneficial if this individual has direct reporting access to the CEO and is a peer of other C-level executives.

Incident Response Manager – This person is the individual that leads the efforts of the IR team and coordinates activities between all of its respective groups. Normally, this person would receive initial IR alerts and be responsible for activating the IR team and managing all parts of the IR process, from discovery, assessment, remediation and finally resolution. This individual reports to the Incident Response Officer.

Incident Response Assessment Team – This group of individuals is composed of the different areas serviced by the IR team. This allows expertise from every critical discipline to weigh in on classifications and severity decisions once an incident has been identified. It is very beneficial to have representatives from IT, Security, Application Support and other business areas. In the event of an incident, the IR Manager would gather details of the incident from the affected site, begin tracking and documentation (possibly through an internal ticket management system) and then activate the Assessment Team. This group would then discuss the details of the incident and based on their expertise and knowledge of the business, would then be able to assign an initial severity. This team reports to the IR Manager.

Remote Incident Response Coordinator – This role should be assigned to qualified and capable individuals that are located in other geographic areas. These individuals ultimately report to the Incident Response Manager but in their geographic region, they are recognized as IR leaders. This will allow these assistants to manage the efforts of local custodians during an incident. This configuration is very useful, especially for organizations that have offices in multiple time zones. If an IR Manager is located in the United States but an incident occurs in a Malaysian branch, it will be helpful to have a local security leader that is able to direct efforts and provide status updates to the Incident Manager. This way, regardless of the time zone the correct actions will be invoked promptly.

Incident Response Custodians – These individuals are the technical experts and application support representatives that would be called upon to assist in the remediation and resolution of a given incident. They report to the Incident Response Manager or to the Remote IR Coordinator(s) depending on their location(s).

Once you’ve been able to identify the proper stakeholders that will form your team, you will have to provide an action framework they’ll be able to use when carrying out their responsibilities. Think of this “action framework” as a set of training wheels that will guide your IR team. What does this mean? Let’s move on to the next section to discuss this…

INCIDENT RESPONSE PROCESS FLOW

A part of outlining this framework involves the identification of IR Severity Levels. These levels will help your team understand the severity of an event and will govern the team’s response. Some suggestions for these levels are the following:

SEVERITY LEVEL

LEVEL OF BUSINESS IMPACT

RESOLUTION EFFORT REQUIRED

SEVERITY 1

LOW

LOW EFFORT

SEVERITY 2

MODERATE

MODERATE EFFORT

SEVERITY 3

HIGH

EXTENSIVE, ONGOING EFFORT

SEVERITY 4

SEVERE

DISASTER RECOVERY INVOKED

Earlier in this article, I mentioned the benefit of identifying any existing informal process that your company may already be following. If so, it will now be necessary for you to step through that process mentally, keeping in mind your identified severity levels so that you can start to document each step of the process. You will undoubtedly start to remove irrelevant portions of the informal process but may opt to keep certain items in place. (For example, certain notification procedures may still be useful and you may continue to use these in your new IR process to alert members of your team). If you don’t have a starting point like this and you’re starting from scratch, then perhaps the following suggestions can provide some direction.

Start to create a documented action script that will outline your response steps so your IR Manager can follow them consistently. Your script should show steps similar to the following:

STEP #

ACTION

1

Incident announced

2

IR Manager alerted

3

IR Manager begins information gathering from affected site

4

IR Manager begins tracking and documentation of incident

5

IR Manager invokes Assessment Team
(Details of call bridge or other communication mechanism)

6

Assessment Team reviews details and decides on Severity Level of incident.

7

IF SEV 1 = PROCEED TO STEP #11.0

8

IF SEV 2 = PROCEED TO STEP #12.0

9

IF SEV 3 = PROCEED TO STEP #13.0

10

IF SEV 4 = PROCEED TO STEP #14.0

FOR SEVERITY LEVEL 1 – Proceed with following sequence

11.0

Determine attack vectors being used by threat

11.1

Determine network locations that are impacted

11.2

Identify areas that fall under “Parent Organization”

11.3

Identify systems or applications that are impacted

FOR SEVERITY LEVEL 2 – Proceed with following sequence

12.0

Determine attack vectors being used by threat

12.1

Alert Incident Officer to Severity 2 threat

This of course is an extremely high level example, but as you can see, it is possible to flesh out the majority of the process with specific action items for each severity level. Be sure to thoroughly research your unique environment to develop a process that fits your needs. You may have to add custom steps to cover incidents that span multiple countries and subsidiaries. Once you’ve created your process.you may want to consider developing small wallet size scripts for the members of your Assessment Team and other key players on which you will need to depend to make this run efficiently. In this way, each member will have necessary information on hand that will allow them to respond as expected.

This article just scratches the surface of the work that is required to build a full IR process but hopefully this has given you some direction and additional areas to explore when planning your next IR project!

Run the commands bellow to enable remote management of the Root CA:Enable-NetFirewallRule -DisplayGroup "Remote Service Management"
Note: The above command should be written in single line.Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

Offline Root CA – Certificate Authority server installation phase

To login to the server, press CTRL+ALT+DELETE -> specify the “Administrator” account credentials.

From the command prompt window, run the command bellow:powershell

Run the command below to create CA policy file:notepad c:\windows\capolicy.inf

Run the commands below to install Certification Authority using Powershell:Import-Module ServerManagerAdd-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.

Run the command below to remove all default CRL Distribution Point (CDP):$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.

Run the commands below to configure new CRL Distribution Point (CDP):Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl -PublishToServer -Force
Note: The above command should be written in single line.Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.

Run the command below to remove all default Authority Information Access (AIA):$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};Note: The above command should be written in single line.

Run the command below to configure new Authority Information Access (AIA):Add-CAAuthorityInformationAccess -AddToCertificateAia -uri http://www/CertEnroll/%1_%3.crt
Note: The above command should be written in single line.

Run the commands bellow from command line, to configure the Offline Root CA to publish in the active-directory:certutil.exe -setreg ca\DSConfigDN "CN=Configuration, DC=mycompany,DC=com"
Note 1: The above command should be written in single line.
Note 2: Replace “DC=mycompany,DC=com” according to your domain name.certutil.exe -setreg ca\DSDomainDN "DC=mycompany,DC=com"
Note: Replace “DC=mycompany,DC=com” according to your domain name.

Run the command bellow to stop the CertSvc service:Restart-Service certsvc

Run the commands below to install Certification Authority using Powershell:Import-Module ServerManagerAdd-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Note: The above command should be written in single line.Add-WindowsFeature Web-Mgmt-Console
Add-WindowsFeature Adcs-Web-Enrollment

Open Server Manager -> From the “Welcome to Server Manager”, click on notification icon -> click on “Configure Active Directory Certificate Services on the destination server”

Run the command below to approve the subordinate CA request:certutil -resubmit 2
Note: Replace “2″ with the request ID.

Run the command below to command to download the new certificate.certreq -retrieve 2 "C:\<CACertFileName>.cer"
Note 1: Replace “CACertFileName” with the actual CER file.
Note 2: Replace “2″ with the request ID.

Logoff the Root CA and power it off for up to 179 days (for CRL update).

Return to the Subordinate CA.

Copy the file “c:\<CACertFileName>.cer” from the Offline Root CA to the Subordinate CA.
Note: Replace “CACertFileName” with the actual CER file.

Run the command below to remove all default CRL Distribution Point (CDP):$crllist = Get-CACrlDistributionPoint; foreach ($crl in $crllist) {Remove-CACrlDistributionPoint $crl.uri -Force};
Note: The above command should be written in single line.

Run the commands below to configure new CRL Distribution Point (CDP):Add-CACRLDistributionPoint -Uri C:\Windows\System32\CertSrv\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note: The above command should be written in single line.Add-CACRLDistributionPoint -Uri http://www/CertEnroll/%3%8%9.crl -AddToCertificateCDP -Force
Note: The above command should be written in single line.Add-CACRLDistributionPoint -Uri file://\\<SubordinateCA_DNS_Name>\CertEnroll\%3%8%9.crl -PublishToServer -PublishDeltaToServer -Force
Note 1: The above command should be written in single line.
Note 2: Replace “<SubordinateCA_DNS_Name>” with the actual Subordinate CA DNS name.

Run the command below to remove all default Authority Information Access (AIA):$aialist = Get-CAAuthorityInformationAccess; foreach ($aia in $aialist) {Remove-CAAuthorityInformationAccess $aia.uri -Force};
Note: The above command should be written in single line.

Run the commands below to configure new Authority Information Access (AIA):Add-CAAuthorityInformationAccess -AddToCertificateAia http://www/CertEnroll/%1_%3%4.crt -Force
Note: The above command should be written in single line.Add-CAAuthorityInformationAccess -AddToCertificateAia "ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11"Note: The above command should be written in single line.Add-CAAuthorityInformationAccess -AddToCertificateOcsp http://www/ocsp -Force
Note: The above command should be written in single line.

Login to a domain controller in the forest root domain, with account member of Domain Admins and Enterprise Admins.

Open Server Manager -> Tools -> Active Directory Users and Computers.

From the left pane, expand the domain name -> choose an OU and create the following groups:
Group name: CA Admins
Group description/purpose: Manage CA server
Group name:CA Issuers
Group description/purpose: Issue certificates

Logoff the domain controller.

Login to the Subordinate CA using administrative account, who is also member of the “CA Admins” group.

Open Server Manager -> Tools -> Certification Authority.

From the left pane, right click on the CA server name -> Properties -> Security tab -> Add -> add the “CA Admins” group -> grant the permissions “Issue and Manage Certificates” and “Manage CA” and remove all other permissions -> click on OK.
Note: As best practices, it is recommended to remove the default permissions of “Domain Admins” and “Enterprise Admins”.

From the left pane, expand the CA server name -> right click on Certificate Templates -> Manage -> from the main pane, right click on “User” certificate -> Duplicate Template -> General tab -> rename the template to “Custom User Certificate” -> Security tab -> click on Add -> add the “CA Issuers” group -> grant the permission “Read”, “Enroll” and “Autoenroll” -> click on OK.

Email retention policies are no longer just about conserving space on your Exchange server. Today you must take into account how your email retention controls increase or decrease risk to your company.

Pros and Cons of Short and Long Email Retention Policies

Generally speaking, longer email retention policies increase the risk that a security vulnerability or unauthorized user could expose your company’s secrets or embarrassing material. Long policies also increase your company’s exposure to legal examination that focuses on conversations and decisions captured in emails (this is also known as the “paper trail” in an “eDiscovery” process).

Shorter email retention policies help avoid these problems and are cheaper to implement, but they have their own significant disadvantages as well. First, short policies tend to annoy long-term employees and often executives, who rely on old email chains to recollect past decisions and the context in which they were made. Second, short policies may violate federal, state, local and/or industry regulations that require certain types of information to be retained for a minimum period of time – often years!

Best Practices to Develop Your Email Retention Policy

Obviously, you must balance these factors and others when you develop your own email retention policy, but there are a number of best practices that can help you draft and get support for a solid email retention policy. Today, I’ll be covering five practices often used by effective professionals and managers.

Your email retention policy should begin by listing the various regulations your company is subject to and the relevant document retention requirements involved with each regulation.

Every industry is regulated differently, and businesses are often subject to different tax, liability and privacy regulations depending on the locations in which they do business. However, some common recommended retention periods include:

As you can see from the list above, recommended retention periods vary widely even within highly regulated industries. With that in mind, it often pays to segment different types or uses of email into different retention periods to avoid subjecting your entire online email store to the maximum email retention period.

Mixed segmentation is also often common and looks something like this:

Human resources – 7 years

Transaction receipts – 3 years

Executive email – 2 years

Spam – not retained

Everything else (e.g., “default retention policy”) – 1 year

The rules and technologies you use to inspect, classify and segment can vary from simple sender- and subject-matching to sophisticated engines that intuit intent and history. (Unfortunately, space does not permit us to examine these technologies here, but trust me – they exist!)

Email Retention Policy Best Practice #3:

Draft a Real Policy…But Don’t Include What You Won’t Enforce

A written policy, approved by legal counsel and senior management, will give you the requirements and authority to implement all the IT, security and process controls you need. If you haven’t seen a full retention policy yet, please take the time to search the web for a few, such as this template from the University of Wisconsin. (Go Badgers! Sorry…proud alum.)

Note that many “email retention policy” documents (including the UW template) cover much more than email! In general, this is OK because a “document policy” gives you what you need to implement an “email policy”, but you’ll want to make a point of talking the “document vs. email” terminology through with your legal team before you finalize your policy.

A good written policy (again, including the UW template) always contains these sections:

Purpose: why does this policy exist? If specific regulations informed the creation of this policy, they should all be listed here.

Retention time, by segment: how long various types of content or content used in a particular manner must be retained (the UW template segments by type of content). Durations are often listed in years, may include triggers (e.g., “after X”) and may even be “Permanent”.

What constitutes “destruction”: usually shredding and deleting, often “secure deletion” (e.g., with overwriting) and degaussing of media where applicable.

Pause destruction if legal action imminent: your legal department will normally add this for you, but you can show off your legal bona fides by including a clause instructing IT to pause automatic email deletion if the company becomes the subject of a claim or lawsuit (this is also called a “litigation hold”).

Who is responsible: typically everyone who touches the documents, often with special roles for certain titles (e.g., “Chief Archivist”) or groups (e.g., “legal counsel”).

Good written policies omit areas that you won’t or can’t support, especially types of segmentation you will not be able to determine or support. Good policies also refer to capabilities and requirements (e.g., offsite archival) rather than specific technologies and processes (e.g., DAT with daily courier shipments).

Purchase transaction emails : also archive to offline storage until 5 years have passed

Legal emails: also archive to offline storage until 7 years have passed

“Fast storage” = accessible through end user’s email clients through “folders”; normally only individual users can access, but administrators and archival specialists (e.g., the legal team) can access too

“Offline storage” = accessible through internal utility and search; only administrators and archival specialists (e.g., the legal team) can access

To price an appropriate solution, you would restate your requirements based on number of users, expected volume of email and expected rate of growth. For example, in a 500-person company where each user averaged 1MB and 100 messages of email a day, there were 5000 additional transaction emails (total 50MB) a day and 100 additional legal emails (total 20MB) a day, and volumes were expected to increase 10% per year, here’s how we might estimate minimum requirements for the next seven years:

However, after you’ve priced out your preferred solution, you still need to be prepared to handle alternatives that may result from discussions with legal or your executive team. For example, if the executive team pushes your 18 month blanket retention to 3 years and the legal team “requires” that its emails are always in near-term email storage, how would that change your requirements and pricing?

Long story short, if you can figure out your own rule-of-thumb per-GB price for the various types of storage necessary to support your archiving scheme (as well as licensing considerations, including any per-message or per-type-of-message rules) you’ll be better prepared for “horse trading” later in the approval process.

Email Retention Policy Best Practice #5: Once You Draft Your Policy, Include Legal Before the Executives

If you’re still reading this, chances are good that you (like me) are a senior IT or security professional, or are perhaps even a manager. If you’ve drafted other IT policies, such as an “acceptable use” policy, your first instinct might be to keep your legal team out of the process until your new policy has snowballed down from your IT-based executive sponsor. This is almost always a mistake.

The main reason legal should be included as soon as you have a draft is that two of the best practices listed above (regulatory minimums and viability of segmentation) are really legal’s call – not yours! You will have saved legal a lot of legwork by researching the main drivers of email retention policy and the technical controls you can use to enforce the policy, but at the end of the day legal will be called upon to defend the company’s decision to keep or toss critical information, so legal will need to assign the final values to your policy limits.

A second reason to include legal before your executives is that you want to present a unified front (as IT and legal) on your maximum retention limits. Once you get into negotiations with your executive team, legal will likely be pushing for even shorter limits (because it limits the threat of hostile eDiscovery) and the executives will be pushing for even longer limits (because email is their old document storage). This puts you (as IT) in the rational middle and gives your policy a good chance of making it through the negotiations relatively unscathed.

The final reason you want to include legal early is that their calls may force you to reprice the options you laid out before you talked to them, and may cause you to take some options off the table. If you reversed the process and got executives to sign off on a solution that got vetoed by legal and sent back to the executive team for a second round of “ask,” I think you know that no one would be happy.

Conclusion: Your Email Retention Policy Will Be Your Own

Given all the different constraints your organization faces and all the different ways your interactions with your legal and executive team could go, it would be impossible for me to predict what any company’s email retention policy would be. However, if you follow these five best practices when you develop your own, you stand a better-than-average chance of drafting an email retention policy that’s sensible, enforceable, and loved by legal and top management alike.

85.4% of statistic can be interpreted in the opposite way, and AV has been declared dead regularly since 1987.

Symantec “invented commercial antivirus software in the 1980s”? That must come as news to the many companies, like Sophos, that I was reviewing long before Symantec bought out their first AV company.

“Dye told the Wall Street Journal that hackers increasingly use novel methods and bugs in the software of computers to perform attacks.”

There were “novel attacks” in 1986, and they got caught. There have been novel attacks every year or so since, and they’ve been caught. At the same time, lots of people get attacked and fail to detect it. There’s never a horse that couldn’t be rode, and there’s never a rider that couldn’t be throwed.

“Malware has become increasingly complex in a post-Stuxnet world.”

So have computers. Even before Stuxnet. I think it was Grace Hopper who said that the reason it is difficult to secure complex systems is because they are complex systems. (And she died a while back.)

This appears to be kind of like those Kafka-esque errors that big governmentsometimes make [1] (and which reinforce the arguments against the “if you’re not doing anything wrong you don’t need privacy” position), with the added factor that there is absolutely nothing that can be done about it.

I suppose an individual programmer could bring civil suit against Google (and its undoubtedly huge population of lawyers) citing material damages for being forbidden from participating in the Google/Play/app store, but I wouldn’t be too sanguine about his chances of succeeding …

[1] – since the foreign workers program seems to be being used primarily to bring in workers for the oil and gas sector right now, do you think it would help if she offered to mount a production of “Grease”?

On the one hand, I’m not entirely sure that the auditor general completely understands disaster planning, and she hasn’t read Kenneth Myers and so doesn’t know that it can be counter-productive to produce plans for every single possibility.

On the other hand, I’m definitely with Vaugh Palmer in that we definitely need more public education. We are seeing money diverted from disaster planning to other areas, regardless of a supposed five-fold increase in emergency budget. In the past five years, the professional association has been defunded, training is very limited in local municipalities, and even recruitment and “thank you” events for volunteers have almost disappeared. Emergency planning funds shouldn’t be used to pay for capital projects.

(And the province should have been prepared for an audit in this area, since they got a warning shot last year.)

I was given a Win8Phone recently. I suppose it may seem like looking a gift horse in the mouth to review it, but:

I must say, first off, that the Nokia Lumia has a lot of power compared to my other phone (and Android tablets), so I like the responsiveness using Twitter. The antenna is decent, so I can connect to hotspots, even at a bit of a distance. Also, this camera is a lot better than those on the three Android machines.

I’m finding the lack of functionality annoying. There isn’t any file access on the phone itself, although the ability to access it via Windows Explorer (when you plug the USB cable into a Windows 7 or 8 computer) is handy.

I find the huge buttons annoying, and the interface for most apps takes up a lot of space. This doesn’t seem to be adjustable: I can change the size of the font, but only for the content of an app, not for the frame or surround.

http://www.windowsphone.com/en-us/how-to/wp8 is useful: that’s how I found out how to switch between apps (hold down the back key and it gives you a set of
icons of running/active apps).

The range of apps is pathetic. Security aside (yes, I know a closed system is supposed to be more secure), you are stuck with a) Microsoft, or b) completely unknown software shops. You are stuck with Bing for search and maps: no Google, no Gmail. You are stuck with IE: no Firefox, Chrome, or Safari. Oh, sorry, yes you *can* get Firefox, Chrome, and Safari, but not from Mozilla, Google, or Apple: from developers you’ve never heard of. (Progpack, maker(s) of the Windows Phone store version of Safari, admits it is not the real Safari, it just “looks like it.”) You can’t get YouTube at all. No Pinterest, although there is a LinkedIn app from LinkedIn, and a Facebook app–from Microsoft.

It’s a bit hard to compare the interface. I’m comparing a Nokia Lumia 920 which has lots of power against a) the cheapest Android cell phone Bell had when I had to upgrade my account (ver 2.2), b) an Android 4.3 tablet which is really good but not quite “jacket” portable, and c) a Digital2 Android 4.1 mini-tablet which is probably meant for children and is *seriously* underpowered.

Don’t know whether this is the fault of Windows or the Nokia, but the battery indicators/indications are a major shortcoming. I have yet to see any indication that the phone has been fully charged. To get any accurate reading you have to go to the battery page under settings, and even that doesn’t tell you a heck of a lot. (Last night when I turned it off it said the battery was at 46% which should be good for 18 hours. After using it four times this morning for a total of about an hour screen time and two hours standby it is at 29%.)

(When I installed the Windows Phone app on my desktop, and did some file transfers while charging the phone through USB I found that the app has a battery level indicator on most pages, so that’s helpful.)

Linkedin is a much better platform for Nigerian scammers: They now have my first and last name, information about me, etc. So they can craft the following letter (sent by this guy):

Hello Aviram Jenik,

I am Dr Sherif Akande, a citizen of Ghana, i work with Barclay’s Bank Ltd, Ghana. I have in my bank Existence of the Amount of money valued at $8.400,000.00, the big hurt Belongs to the customer, Peter B.Jenik, who Happen To Have The Same name as yours. The fund is now without any Claim Because, Peter B.Jenik, in a deadly earthquake in China in 2008. I want your cooperation so that bank will send you the fund as the beneficiary and located next of kin to the fund.

This transaction will be of a great mutual assistance to us. Send me your reply of interest so that i will give you the details. Strictly send it to my private email account {sherifakande48@gmail.com} or send me your email address to send you details of this transaction.

At the receipt of your reply, I will give you details of the transaction.I look forward to hear from you. I will send you a scan copy of the deposit certificate.

Send me an email to my private email account {sherifakande48@gmail.com}for more details of the transaction.

A family member recently encountered credit card fraud. That isn’t unusual, but there were some features of the whole experience that seemed odd.

First off, the person involved is certain that the fraud relates to the use of the card at a tap/RFID/proximity reader. The card has been in use for some time, but the day before the fraudulent charges the card was used, for the first time, at a gas pump with a “tap” reader.

(I suspect this is wrong. The card owner feels that gas pumps, left unattended all night, would be a prime target for reader tampering. I can’t fault that logic, but the fact that an address was later associated with use of the card makes me wonder.)

At any rate, the day after the gas was purchased, two charges were made with the credit card. One was for about $600.00, and was with startech.com, a supplier of computer parts, particularly cables, based in Ontario. The other charge was for almost $4000.00, and was with megabigpower.com, which specializes in hardware devices for Bitcoin mining, and operates out of Washington state. (Given the price list, this seems consistent with about 8 Bitcoin mining cards, or about 20 USB mining devices.) The credit card company was notified, and the card voided and re-issued.

A few days after that, two boxes arrived–at the address of the cardholder. One came from startech.com via UPS and was addressed to John Purcer, the other was from megabigpower.com via Fedex and was addressed to Tom Smyth. Both were left at the door, refused and returned to the delivery companies. (At last report, the cardholder was trying to get delivery tracking numbers to ensure that the packages were returned to the companies.)

As noted previously, this is where I sat up. Presumably a simple theft of the card data at a reader could not provide the cardholder’s address data. An attempt might be made to ensure that the “ship to” address is the same as the “bill to” address (one of the companies says as much on its billing page), but I further assume that a call to the credit card company with a “hey, I forgot my address” query wouldn’t fly, and I doubt the credit card company would even give that info to the vendor company.

One further note: I mentioned to the cardholder that it was fortunate that the shipment via UPS was from the Canadian company, since UPS is quite unreasonable with charges (to the deliveree) involving taking anything across a border. (When I was doing a lot more book reviews in the old days, I had to add a standard prohibition against using UPS to all my correspondence with companies outside Canada.) When UPS was contacted about this delivery, the agent reported that the package was shown as delivered, with a note of “saw boy,” presumably since the cardholder’s son was home, or in the vicinity of the house, at the time of delivery. The cardholder was understandably upset and asked to have that note taken off the record, and was then told a) the record could not be changed, and b) that was a standard code, presumably built-in to the tracking devices the drivers carry.

It is always a pleasure to read something from Vinge. His characters are interesting, his plots sufficiently convoluted, and his writing clear and flowing. In addition, for the geek, his understanding of the technology is realistic and fundamental, which makes a change from so many who merely parrot jargon they do not comprehend.

Of course, this is future technology we are talking about, so none of it is (currently) real. But it could be, without the wild flights of illogic that so abound in fiction.

In this book, we have a future with interconnectedness around the globe. Of course, this means that there are dangers, in regard to identity and authentication. The new technology protects against these dangers with a Secure Hardware Environment. (Or SHE, and, since the DHS mandates that everyone must use it, does that make it SHE-who-must-be-obeyed?)

Encryption is, of course, vital to the operations, and so is used a lot, often in multiple layers. It is probably a measure of the enjoyability of Vinge’s work that I really didn’t take note of the fact that two of the characters were named Alice and Bob. Not, that is, until late in the volume, when the author also briefly introduces a character named Eve Mallory.

I got a call today from “James,” of the “computer maintenance department.”

I suppose this may work better against those who actually have a computer maintenance department. Since I’m self-employed, it’s pretty obvious that this is phony. Sometimes, though, “James” or his friends call from Microsoft or other such possibilities.

Just in case anyone doesn’t know, these are false, attempts to get you to damage your own computer, or install something nasty. They can then charge you for spurious repairs, add you to a botnet, or mine your computer for account information.

Oh, and also, as chance would have it, today I got my first completely automated spam/fraud/telemarketing call: a computer generated voice and voice response system, asking how I was, and then, when I didn’t respond, was I there. Probably would have been fun to try and push the limits of it’s capability, but I didn’t have time …

First, it is true that the behaviours the “cyberbullying” bill address, those of spreading malicious and false information widely, generally using anonymous or misleading identities, do sound suspiciously close to those behaviours in which politicians engage themselves. It might be ironic if the politicians got charged under the act.

Secondly, whether bill C-13 is just a thinly veiled re-introduction of the reviled C-30 is an open question. (As one who works with forensic linguistics, I’d tend to side with those who say that the changes in the bill are primarily cosmetic: minimal changes intended to address the most vociferous objections, without seriously modifying the underlying intent.)

However, Den Tandt closes with an insistence that we need to address the issue of online anonymity. Removing anonymity from the net has both good points and bad, and it may be that the evil consequences would outweigh the benefits. (I would have thought that a journalist would have been aware of the importance of anonymous sources of reporting.)

More importantly, this appeal for the banning of anonymity betrays an ignorance of the inherent nature of networked communitcation. The Internet, and related technologies, have so great an influence on our lives that it is important to know what can, and can’t, be done with it.

The Internet is not a telephone company, where the central office installs all the wires and knows at least where (and therefore likely who) a call came from. The net is based on technology whish is designed, from the ground up, in such a way that anyone, with any device, can connect to the nearest available source, and have the network, automatically, pass information to or from the relevant person or site.

The fundamental technology that connects the Internet, the Web, social media, and pretty much everything else that is seen as “digital” these days, is not a simple lookup table at a central office. It is a complex interrelationship of prototcols, servers, and programs that are built to allow anyone to communicate with anyone, without needing to prove your identity or authorization. Therefore, nobody has the ability to prevent any communication.

There are, currently, a number of proposals to “require” all communications to be identified, or all users to have an identity, or prevent anyone without an authenticated identity from using the Internet. Any such proposals will ultimately fail, since they ignore the inherent foundational nature of the net. People can voluntarily participate in such programs–but those people probably wouldn’t have engaged in cyberbullying in any case.

John Gilmore, one of the people who built the basics of the Internet, famously stated that “the Internet interprets censorship as damage and routes around it.” This fact allows those under oppressive regimes to communicate with the rest of the world–but it also means that pornography and hate speech can’t be prevented. The price of reasonable commuincations is constant vigilance and taking the time to build awareness. A wish for a technical or legal shortcut that will be a magic pill and “fix” everything is doomed to fail.

So, was reading up on the NSA backdoors for Cisco and other OSes, http://cryptome.org/2014/01/nsa-codenames.htm, and got to thinking about how the NSA might exfiltrate their data or run updates…It’s gotta be pretty stealthy, and I’m sure they have means of reflecting data to/from their Remote Operations Center (ROC) in such a way that you can’t merely look at odd destination IPs from your network.

This got me thinking about how I would find such data on a network. First off, obviously, I’d have to tap the firewall between firewall and edge router. I’d also want to tap the firewall for all internal connections. Each of these taps would be duplicated to a separate network card on a passive device.

1) eliminate all traffic that originated from one interface and went out another interface. This has to be an exact match. I would think any changes outside of TTL would be something that would have to be looked at.

2) what is left after (1) would have to be traffic originating from the firewall (although not necessarily using the firewalls IP or MAC). That’s gotta be a much smaller set of data.

3) With the data set from (2), you’ve gotta just start tracing through each one.

This would, no doubt, be tons of fun. I don’t know how often the device phones home to the ROC, what protocol they might use , etc…

If anyone has any ideas, I’d love to hear them. I find this extremely fascinating.